Last night when I was working on the script for doing more granular delegations for the confidentiality bit I ran out to google to look one of the constants or something up and ran into a post of a friend of mine in the newsgroups from a couple of years ago. I didn’t see it then or else I would have responded. So I responded today to him. 🙂
Then I thought, surely this is documented now. I went looking around and couldn’t find anything anywhere so I am going to do a little write up here so that I remember it and it is found by others who need to look.
The issue is around the “Invalid class string” error. It is error code 0x800401f3 or CO_E_CLASSSTRING. You hit it when you try to assign the SD to the nTSecurityDescriptor attribute like so
(perl)
$obj->LetProperty('nTSecurityDescriptor',[$sd]);
or
(also perl)
$obj->{nTSecurityDescriptor}=[$sd];
or
(vbscript)
adsBase.put "nTSecurityDescriptor",sd
What I have found on different occasions is that the issue comes down to what you have set on ObjectType and InheritedObjectType. The format of these properties is supposed to be a GUID in string format like {BF967950-0DE6-11D0-A285-00AA003049E2}. So if you aren’t following that format, expect that error.
Now something else that you wouldn’t expect because it goes against standard programming practices is the idea of “blanking” out a value. I am quite used to doing things like
var1=""
var2=""
var3=""
regardless of language.
However if you do that with ObjectType and InheritedObjectType and you don’t set a GUID over the top of it, then you will get that beautiful “Invalid Class String” error above. So for a real example, don’t do something like this.
set addace = CreateObject("AccessControlEntry")
addace.Trustee="domain\user"
addace.Flags=1
addace.ObjectType="{BF967950-0DE6-11D0-A285-00AA003049E2}"
addace.InheritedObjectType=""
addace.AceType=5
addace.AceFlags=0
addace.AccessMask=32
Note the line
addace.InheritedObjectType=""
that is enough to cause ADSI to throw an error.
joe
